Not able to access any HTTPS external services using Istio #14264
Comments
@anoopl can you try deploying the sample sleep service and verify the behavior is the same from there?
Wait for the sleep pod to finish creating, then run the following:
I am using Istio 1.1.6 without any ServiceEntries. This check will help decide if it is a problem with config (i.e. VirtualService rules or istio deployment configuration) or a problem with your app image and the packages currently installed |
@GregHanson I tried that now, got the same error
|
based on Also, do you get any different behavior with a ServiceEntry defined? |
@GregHanson I tried the ServiceEntry already and tried it again now. It's the same error with ServiceEntry as well. |
To Post a most recent output. It's IPV4:
I think only at that point it tried IPV6 when IPV4 failed |
Final ipv6 bits recently went into master, I am not sure if they were cherry-picked into 1.1.4 or .6. I would start checking sleep why it listens on ipv6 instead of ipv4. I cannot repro this issue since I am travelling this week. Please send steps to repro, I will do it upon my return. |
@sbezverk @GregHanson
I think only at that point it tried IPV6 when IPV4 failed
|
Double-check the output from these commands:
and
Make sure you are running with the expected configurations and did not have anything lying around from a previous deployment. Also, enable access logs if they are not already enabled (see here). Perform the curls from both apps again and check the corresponding sidecar access logs for an entry. Additionally, check what rules you currently have created:
^^make sure the dates are not older than your current deployment. Can also append |
@GregHanson
So everything looks good. I have debug mode enabled for the proxies, I do not see any logs on istio-proxy logs related to this |
It's not just google.com. I have the same error with any HTTPS URL.
|
If you install Istio with the amazing Banzai operator, not only will you have a cleaner/better install of Istio, but outgoing https requests from INSIDE the cluster will work.
I'm running Istio 1.1.2. |
I've been having the same issue and finally resolved it today with help from this link. For me, I was deploying a dedicated ingress gateway for my application and as part of that I added a port called 'http-port443'. Please also see here for an alternative workaround: #13914 (comment) This leads me to think that the problem is with how the sidecar forwards https traffic to the egress but I don't know enough about this to dig deeper and confirm if this is a bug or not. Hope this helps |
@chr15murray Thanks for the suggestion.
But I am not able to get the proxy-config cluster/route:
I am using the sleep.yaml from istio samples, |
I was able to get the proxy-config route working on another cluster. When I do:
On checking these services, we found that these services use the name HTTP for the 443 port, like:
I renamed it to HTTPS and checked the route which showed:
After this, curl https://www.google.com worked as expected. We have not enabled Istio on this namespace. We do not know the reason for this bug. Thanks @chr15murray for helping me debug this. Thanks to everyone. |
@anoopl Had the same issue, HTTP service was created for port 443 in some other namespace which caused all https calls to external services to fail. Fixed it by changing the offending service. |
Thanks for the messages, we encountered the same issue (running on 1.1.5) and fixed it with this solution. I see the issue is closed but no reference to any PR or change. Does that mean it is an expected behaviour of Istio? Or a bug? If a bug, has this been fixed in later versions? |
I had a similar issue with an HTTP port on 443 breaking outbound HTTPS. The root cause is being tracked in #16458 The egress TLS origination is currently incorrect and will trigger this bug. |
I had the same issue with the name HTTP. I configured the service on port 443 with the name http, and all the external traffic was blocked. Is there any resolution to solve it? Or any version that doesn't have that bug? |
I have experienced the same issue when I configured a service entry with http protocol on port 443. Do we have any solution on recent releases? |
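A check for the condition the comments above trace the failure to: a port 443 declared as HTTP, either by a Service port name or by a ServiceEntry protocol, anywhere in the cluster. This is an added example, not code from the thread or from Istio; the sample resources and the name `find_http_on_443` are constructed, and treating `http2` and `grpc` like `http` is an assumption based on Istio's `<protocol>[-<suffix>]` port-naming convention.

```python
import json
import sys

# Protocols Istio handles as plaintext HTTP (assumption: http2/grpc behave like
# the "http" case reported in the thread).
HTTP_LIKE = {"http", "http2", "grpc"}

# Constructed sample shaped like
# `kubectl get svc,serviceentry --all-namespaces -o json`.
SAMPLE = {"items": [
    {"kind": "Service", "metadata": {"namespace": "legacy", "name": "billing"},
     "spec": {"ports": [{"name": "http", "port": 443}]}},
    {"kind": "Service", "metadata": {"namespace": "gw", "name": "my-ingress"},
     "spec": {"ports": [{"name": "http-port443", "port": 443},
                        {"name": "http", "port": 80}]}},
    {"kind": "Service", "metadata": {"namespace": "shop", "name": "web"},
     "spec": {"ports": [{"name": "https", "port": 443}]}},
    {"kind": "ServiceEntry", "metadata": {"namespace": "default", "name": "ext-api"},
     "spec": {"hosts": ["api.example.com"],
              "ports": [{"name": "web", "number": 443, "protocol": "HTTP"}]}},
]}


def declared_protocol(kind, port):
    """Protocol Istio infers: the ServiceEntry 'protocol' field, or the prefix
    of the Service port name before the first '-'."""
    if kind == "ServiceEntry":
        return str(port.get("protocol") or "").lower()
    return str(port.get("name") or "").split("-", 1)[0].lower()


def find_http_on_443(resource_list, https_port=443):
    """Return (kind, namespace, name, port name) per port 443 declared as HTTP."""
    findings = []
    for item in resource_list.get("items", []):
        kind = item.get("kind", "Service")
        meta = item.get("metadata", {})
        for port in item.get("spec", {}).get("ports") or []:
            number = port.get("number") if kind == "ServiceEntry" else port.get("port")
            if number == https_port and declared_protocol(kind, port) in HTTP_LIKE:
                findings.append((kind, meta.get("namespace"), meta.get("name"),
                                 port.get("name")))
    return findings


if __name__ == "__main__":
    # Pass a saved JSON file as argv[1]; with no argument the sample is scanned.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in find_http_on_443(data):
        print("port 443 declared as HTTP:", *finding)
```

The scan has to cover every namespace, including ones without sidecar injection, since the commenters found the offending Service outside the namespace where the HTTPS calls failed.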
I am still experiencing this issue on version 1.12.0 😞 |
We have Istio clusters running on 1.1.6 and 1.1.4.
We have a similar issue on both clusters: we are not able to access any external HTTPS URL like Google. We do not have any Service Entry and mTLS is disabled cluster-wide. There are no logs on the istio-proxy sidecar.
Where should we look for some debug information? Any help on this would be great.
We run Kubernetes v1.13.2 with Weavenet CNI.
We have this issue only with pods that have the Istio sidecar.